Think Like A Hacker With Wordfence

WordCamp Asia was cancelled this week due to concerns of COVID-19/coronavirus in the region. This week, Wordfence CEO Mark Maunder talks about the decision to offer the WordCamp Asia Cancellation Fee Assistance Package to attendees, volunteers, organizers, and speakers that had planned to travel to this inaugural regional WordCamp. We also cover a number of WordPress plugin vulnerabilities disclosed this week and over 500 malicious Chrome extensions removed from the Chrome Web Store affecting millions of browsers worldwide.

We take a look at the annual hacked site report from GoDaddy's Sucuri Security and the types of malware they found in various CMS and shopping cart applications. Microsoft reports they're finding 77,000 webshells daily, and WP Scan's roundup lists a number of popular plugins and themes with recent vulnerabilities. A report from students at Harvard University exposes the growing risks of online leaks & breaches.

Chloe Chamberland never wanted to get into security, and yet in the last three years, she has emerged as one of our most effective and prolific threat researchers. Not only does she find vulnerabilities in numerous popular plugins, she also travels the world while doing so. Chloe talked to me from a cabin in a remote area of Alaska, where she saw a moose for the first time. Chloe talks about how she got started in security and gives advice for young people who think they might enjoy security research. She also tells us why she loves speaking at WordCamps, the scariest vulnerability she's discovered, and also tells us she's working with more developers to make their code secure. In the news, I cover some recent WordPress plugin vulnerabilities, why cloud firewalls can be bypassed, and what site owners might need to watch for in Google Chrome's upcoming SameSite cookie changes.

Welcome to 2020! We're making some changes to Think Like a Hacker and wanted to let you know. We're moving to an audio-only version of the podcast, publishing twice per month. We also wanted to let you know about 3 major vulnerabilities in WordPress plugins potentially affecting over 400,000 WordPress installations. Details are on the Wordfence blog as well. 

We've had quite a year with Think Like a Hacker, the podcast about WordPress, security and innovation. For the end of year episode, we thought it would be fun to take a look back at a few of our favorite interviews and news stories. For episode 62, we review conversations with Josepha Haden, Brandy Lawson, Jennifer Bourn, Matt Cromwell, and we look back at the Pipdig story that created a furor earlier this year. Thank you to everyone who sat down with us over the first year of Think Like a Hacker, and thank you to our audience for listening, commenting, and helping Think Like a Hacker become what it is. We have big plans for 2020, and we hope you join us. Happy holidays to everyone celebrating, and we'll see you in 2020.   Here are timestamps if you'd like to jump around: 0:55 Josepha Haden on how she got involved with WordPress 1:59 Jon Brown talks about managing a remote team 3:50 Verious Smith's entrepreneurship journey 5:40 the Pipdig story with Mikey Veenstra 6:53 Ryan Dewhurst on the WP Vulnerability Da

With Google Chrome experimenting with a badge of shame for websites that load slowly in Chrome, there is a new urgency for high performance interfaces for web users. Gatsby, Gridsome and other static site interfaces are hot in the development community right now, especially when talking about headless WordPress. At WordCamp US, Mark chats with Dave Ryan about these technologies, reminding us that no matter the technology we use to create a website, our decisions during development matter to the end users' experience.

A small furor erupted over a top influencers in WordPress list that neglected to show the diverse nature of the WordPress community. We talk about the impossibility of making an accurate list that reflects the true nature of WordPress influence or contribution, and the diversity we saw during our work on Open, our film project about the WordPress community. We also talk about Google plans to give slow websites a new badge of shame in Chrome, password security updates in Chrome 79, and the DHS reconsiders a plan to use facial-recognition technology on all U.S. citizens traveling internationally.

Kim Gjerstad, one of the founders of Mailpoet, visited with Mark at the Wordfence booth at WordCamp US. Kim and Mark talked about the origins of Mailpoet, the plugin that gives users a full email management system within the WordPress administrative dashboard. They talk about email deliverability as well as the challenges of fighting email abuse, a constant battle that Mailpoet is winning. They also talk about net promoter scores and what it means for the success of a SaaS business.

Yoast, the SEO plugin installed on 9 million WordPress sites, ran a Black Friday sale, experimenting with an ad in the WordPress admin dashboard. The internet furor was dramatic, and Yoast's CEO Marieke van de Rakt took ownership, showing exceptional leadership. We discuss the ad and the response from both users and competitors and the challenges of running a plugin business under a freemium model. We also cover stories about AVG and Avast browser extensions, the Magento Marketplace hack, the private equity purchase of .org and a data leak affecting 1.2 billion people.

Maddy Osman is a SEO content strategist that has worked with a number of familiar brands in both the WordPress and SaaS spaces. She spoke at WordCamp US and took some time to chat with us at the Wordfence sponsor booth. Maddy talks about how she got started in SEO content strategy after doing web design and development, and also what the entrepreneurial journey has been like for her. Maddy also shows off some of her lock picking skills she picked up while hanging out at the Wordfence booth.

In Episode 56, we review the premiere of Open, The Community Code, a film about the WordPress community that world premiered at Matt Mullenweg's State of the Word Keynote at WordCamp US. Mark and Kathy talk about what it was like watching friends in the community see the film for the first time. We also discuss recent updates to WordPress in version 5.3, especially some of the improvements to the new Gutenberg editor, accessibility, and site health. We also review Google Chrome's plans to warn and block mixed content and how site owners can prepare now for these upcoming changes.

At WordCamp US in Saint Louis, Mark sat down with Yoast CEO Marieke van de Rakt and COO Michiel Heijmans in the Wordfence booth to talk about not only how Yoast began, but also how they've grown to over 9 million active installations and the challenges of managing such a large user base. Marieke and Michiel also talk about the big changes coming in 2020 for the Yoast plugin as well as training and educational efforts via Yoast Academy.

Kathy Zant gave a presentation about The Hacker Mindset at WordCamp US 2019 in St. Louis. Learning to think like a hacker in the security realm is a big part of keeping your assets safe, and there are additional benefits. Kathy illustrates how the hacker mindset is much more than protecting your site. Thinking like a hacker can also help you break through perceived limitations, overcome obstacles, and capitalize on opportunities to innovate.

Mark and Kathy connect in person on Halloween in St. Louis to talk about what's happening at WordCamp US. We review what's new at WCUS, some of the more interesting sessions, and all of the fun activities Wordfence is bringing to North America's largest WordCamp. Kathy and Mark also tear down the 4th wall to talk to award-winning Director Sean Korbitz, the creative force behind OPEN | The Community Code, the movie about the WordPress community that premieres Saturday, November 2.

Andrea Zoellner has been an active organizer of WordCamp Montreal and is the Chief Content Creator at hosting provider, SiteGround. Andrea focuses on supporting SiteGround customers in the North American and English-speaking market. With a background in journalism, Andrea found WordPress as the easiest way to get online and integrate with different services. She talked with us at WordCamp Sacramento about how she got involved with WordPress and the community and how her position at SiteGround puts her in a unique position to innovate through new tools and services for WordPress customers at SiteGround.

This week, we cover WeWork's failed IPO and financial woes and how this likely led to Meetup's introduction of an RSVP fee. We discuss why this decision doesn't bode well for WeWork's future. We also look at the WordPress 5.2.4 security release and what fixes are included. We discuss the planned release of PHP 7.4 on November 28 and how WordPress core is preparing for this update. We also get a little excited about our plans for WordCamp US November 1-2 and our party to celebrate the worldwide premiere of the open source film about the WordPress community: Open, The Community Code.

Jennifer Bourn has been a leader in the WordPress community for years, helping WordPress users of all experience levels get the most out of the platform. She has also created beautiful websites for recognizable brands through her design company, Bourn Creative. At WordCamp Sacramento, we talked about how the WordPress community has opened new experiences for her entire family, her new ventures in training including Content Camp and the Profitable Project Plan, the Bourn family goal of visiting all national parks as well as the future of WordPress.

At WordCamp Minneapolis, our Lead Customer Service Engineer Tim Cantrell chats with Lindsey Miller about her work as Partner Marketing Manager at LiquidWeb. Tim and Lindsey also talk about the challenges of being a remote worker, and how the connections in the WordPress community can help individuals make connections that grow a business. Lindsey also turns the tables and interviews Tim, asking how he got involved in WordPress and came to be the lead customer service engineer at Wordfence.

Salesforce Ventures invested $300 million into Automattic at a $3 billion valuation. We discuss what this might mean for Automattic, the WordPress community, and the WordPress ecosystem by analyzing the roots of Salesforce and the opportunities it brings to WordPress. We also talk about features and fixes coming in November to WordPress 5.3 especially within the block editor and site health check. We also look at the DoorDash breach affecting nearly 5 million users.

At WordCamp Sacramento, Matt Cromwell from GiveWP talked to us about how Give began, their mission of democratizing generosity, and how they handled the vulnerability disclosure from the Wordfence team. When our security researchers reached out to provide a proof of concept, the Give and Wordfence teams worked together to ensure that the vulnerability was patched in the safest way possible. Matt also tells us how he got involved with WordPress and how he gives back to the community through the Advanced WordPress Facebook group with over 30,000 members.